[CRUC-8163] Missing permission check in review coverage REST endpoint - CVE-2017-18035 - Create and track feature requests for Atlassian products.

XML

Word

Printable

Details

Type: Bug
Status: Closed (View Workflow)
Priority: Low
Resolution: Fixed
Affects Version/s: 4.5.0
Fix Version/s: 4.5.1, 4.6.0
Component/s: None
Labels:

Symptom Severity:
Severity 3 - Minor
Bug Fix Policy:
View Atlassian Server bug fix policy

Description

The /rest/review-coverage-chart/1.0/data/<repository_name>/.json resource in Atlassian Fisheye and Crucible before version 4.5.1 and 4.6.0 was missing a permissions check, this allows remote attackers who do not have access to a particular repository to determine its existence and access review coverage statistics for it.

Affected versions:

Older than 4.5.1

Fix versions:

4.5.1, 4.6.0

Attachments

Issue Links

was cloned as

FE-6996 Missing permission check in review coverage REST endpoint - CVE-2017-18035

Closed

Activity

People

Assignee:: Unassigned

Reporter:: Adam Slaski

Votes:: 0 Vote for this issue

Watchers:: 2 Start watching this issue

Dates

Created:: 18/Jan/2018 10:44 AM

Updated:: 01/Feb/2018 10:49 AM

Resolved:: 18/Jan/2018 10:53 AM